Heimdall Bogus Subscribers Attack Incident
- Happened from 2023-07-30-2023-08-01, or something like that
- Bunch of bots started to sign up for Simplified Chinese, like 300 people
- Felt great, yeah, here we go
- So I moved forward with the Project Naroo migration, added new languages
- Now I got a bunch of people signing up for
taTamil. Like 40 people - Something was weird.
- One thing in common was that both lists that got tons of subscribers were the last list on Listmonk.
- Seemed like an attack of some sort. I tried emailing a handpicked few, but none replied.
- The emails were very authentic-looking, though. So it took a lot of work to tell which one was bogus or not.
- So I tried adding an empty list and explicitly said "do not subscribe" on the list. Sure enough, a bunch of people still signed up. Look at these messes. Also, don't they look so authentic?
- One odd thing was that usually when a subscriber signs up for Heimdall, the name field was the handle from the email company. These bogus subscribers had something like UUID.
- Anyways, so I had to inspect all subscribers and batch-delete 400 subscribers.
- Also, blocked public subscription page.
- Under Attack? Spike in Bot Users · Issue #1413 · knadh/listmonk
- Why did anyone do this?
- I am not sure, but one thing for sure is that now I got a warning from AWS. A competitor in the space?
